As containerization emerges as a lightweight virtualization technology for cloud services, the security of containers has become an important subject, especially in inter-container networking, which is the basis of the modern microservice architecture. On the one hand, inter-container networking enables large-scale microservice deployment; on the other hand, it opens a new window for adversaries who own a compromised container to paralyze neighboring containers through network-level attacks. In spite of such threats, today's security solutions for containers not only degrade network performance but also have severe security holes in protecting containers from such network-level attacks. To address these problems, we present Hyperion, a novel hardware-assisted network isolation and security enforcement system for inter-container communications. The system effectively protects containers from a wide range of network attacks by covering the security holes in today's solutions while ensuring network performance. Hyperion provides agile-yet-secure inter-container networking through (i) physically isolated communication channels for containers, using its secure networking bridge on a physical NIC, and (ii) three security features (i.e., source signing, hardware-offloaded policy enforcement, and payload inspection). Our evaluation shows that Hyperion prevents a variety of network attacks initiated from both the container side and the host side, and that it performs six times faster than the state-of-the-art security solutions.